Merge branch 'master' of /git/ansible

2018-04-09 13:55:14 +00:00 · 2018-04-09 13:55:14 +00:00 · 0a0efd9e04
commit 0a0efd9e04
parent 82a4b78fce 3a591c2ad3
48 changed files with 315 additions and 176 deletions
--- a/files/hotfix/fedimg/consumers.py
+++ b/files/hotfix/fedimg/consumers.py
@ -1,5 +1,6 @@
+# -*- coding: utf-8 -*-
 # This file is part of fedimg.
-# Copyright (C) 2014 Red Hat, Inc.
+# Copyright (C) 2014-2017 Red Hat, Inc.
 #
 # fedimg is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as
@ -17,11 +18,14 @@
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 #
 # Authors:  David Gay <dgay@redhat.com>
-#
+#           Sayan Chowdhury <sayanchowdhury@fedoraproject.org>
+"""
+This is the `fedmsg consumer`_ that subscribes to the topic emitted after the
+completion of the nightly and production compose. The consumer on receving the
+message uploads the image using the API of the cloud providers.
+"""

 import logging
-log = logging.getLogger("fedmsg")
-
 import multiprocessing.pool

 import fedmsg.consumers
@ -29,46 +33,54 @@ import fedmsg.encoding
 import fedfind.release

 import fedimg.uploader
-from fedimg.util import get_rawxz_urls, safeget
+
+from fedimg.config import PROCESS_COUNT, STATUS_FILTER
+from fedimg.utils import get_rawxz_urls, get_value_from_dict
+
+LOG = logging.getLogger(__name__)


 class FedimgConsumer(fedmsg.consumers.FedmsgConsumer):
-    """ Listens for image Koji task completion and sends image files
-        produced by the child createImage tasks to the uploader. """
+    """
+    A `fedmsg consumer`_ that listens to the pungi compose topics and kicks
+    of the process to upload the images to various cloud providers.

-    # It used to be that all *image* builds appeared as scratch builds on the
-    # task.state.change topic.  However, with the switch to pungi4, some of
-    # them (and all of them in the future) appear as full builds under the
-    # build.state.change topic.  That means we have to handle both cases like
-    # this, at least for now.
-    topic = [
-        'org.fedoraproject.prod.pungi.compose.status.change',
-    ]
-
-    config_key = 'fedimgconsumer'
+    Attributes:
+        topic (str): The topics this consumer is subscribed to. Set to
+            ``org.fedoraproject.prod.pungi.compose.status.change``.
+        config_key (str): The key to set to ``True`` in the fedmsg config to
+            enable this consumer. The key is ``fedimgconsumer.prod.enabled``.
+    """
+    topic = ['org.fedoraproject.prod.pungi.compose.status.change']
+    config_key = "fedimgconsumer.prod.enabled"

    def __init__(self, *args, **kwargs):
+        LOG.info("FedimgConsumer initializing")
        super(FedimgConsumer, self).__init__(*args, **kwargs)

-        # threadpool for upload jobs
-        self.upload_pool = multiprocessing.pool.ThreadPool(processes=4)
-
-        log.info("Super happy fedimg ready and reporting for duty.")
+        # Threadpool for upload jobs
+        LOG.info("Creating thread pool of %s process", PROCESS_COUNT)
+        self.upload_pool = multiprocessing.pool.ThreadPool(
+            processes=PROCESS_COUNT
+        )
+        LOG.info("FedimgConsumer initialized")

    def consume(self, msg):
-        """ This is called when we receive a message matching our topics. """
+        """
+        This is called when we receive a message matching our topics.

-        log.info('Received %r %r' % (msg['topic'], msg['body']['msg_id']))
-
-        STATUS_F = ('FINISHED_INCOMPLETE', 'FINISHED',)
+        Args:
+            msg (dict): The raw message from fedmsg.
+        """
+        LOG.info('Received %r %r', msg['topic'], msg['body']['msg_id'])

        msg_info = msg['body']['msg']
-        if msg_info['status'] not in STATUS_F:
+        if msg_info['status'] not in STATUS_FILTER:
            return

        location = msg_info['location']
        compose_id = msg_info['compose_id']
-        cmetadata = fedfind.release.get_release_cid(compose_id).metadata
+        compose_metadata = fedfind.release.get_release(cid=compose_id).metadata

        # Till F27, both cloud-base and atomic images were available
        # under variant CloudImages. With F28 and onward releases,
@ -76,24 +88,57 @@ class FedimgConsumer(fedmsg.consumers.FedmsgConsumer):
        # moved under atomic variant.
        prev_rel = ['26', '27']
        if msg_info['release_version'] in prev_rel:
-            images_meta = safeget(cmetadata, 'images', 'payload', 'images',
-                                  'CloudImages', 'x86_64')
+            images_meta = get_value_from_dict(
+                compose_metadata, 'images', 'payload', 'images', 'CloudImages',
+                'x86_64')
        else:
-            images_meta = safeget(cmetadata, 'images', 'payload', 'images',
-                                  'Cloud', 'x86_64')
-            images_meta.extend(safeget(cmetadata, 'images', 'payload',
-                                       'images', 'AtomicHost', 'x86_64'))
+            images_meta = get_value_from_dict(
+                compose_metadata, 'images', 'payload', 'images',
+                'Cloud', 'x86_64')
+            images_meta.extend(get_value_from_dict(
+                compose_metadata, 'images', 'payload',
+                'images', 'AtomicHost', 'x86_64'))

        if images_meta is None:
+            LOG.debug('No compatible image found to process')
            return

-        self.upload_urls = get_rawxz_urls(location, images_meta)
-        compose_meta = {
-            'compose_id': compose_id,
-        }
+        upload_urls = get_rawxz_urls(location, images_meta)
+        if len(upload_urls) > 0:
+            LOG.info("Start processing compose id: %s", compose_id)
+            fedimg.uploader.upload(
+                pool=self.upload_pool,
+                urls=upload_urls,
+                compose_id=compose_id
+            )
+
+
+class FedimgStagingConsumer(FedimgConsumer):
+    """
+    A `fedmsg consumer`_ that listens to the staging pungi compose topics and
+    kicks of the process to upload the images to various cloud providers.
+
+    Attributes:
+        topic (str): The topics this consumer is subscribed to. Set to
+            ``org.fedoraproject.stg.pungi.compose.status.change``.
+        config_key (str): The key to set to ``True`` in the fedmsg config to
+            enable this consumer. The key is ``fedimgconsumer.stg.enabled``.
+    """
+    topic = ['org.fedoraproject.stg.pungi.compose.status.change']
+    config_key = "fedimgconsumer.stg.enabled"
+
+
+class FedimgDevConsumer(FedimgConsumer):
+    """
+    A `fedmsg consumer`_ that listens to the dev pungi compose topics and
+    kicks of the process to upload the images to various cloud providers.
+
+    Attributes:
+        topic (str): The topics this consumer is subscribed to. Set to
+            ``org.fedoraproject.dev.pungi.compose.status.change``.
+        config_key (str): The key to set to ``True`` in the fedmsg config to
+            enable this consumer. The key is ``fedimgconsumer.dev.enabled``.
+    """
+    topic = ['org.fedoraproject.dev.pungi.compose.status.change']
+    config_key = "fedimgconsumer.dev.enabled"

-        if len(self.upload_urls) > 0:
-            log.info("Processing compose id: %s" % compose_id)
-            fedimg.uploader.upload(self.upload_pool,
-                                   self.upload_urls,
-                                   compose_meta)
--- a/inventory/cloud
+++ b/inventory/cloud
@ -24,6 +24,7 @@ el6-test.fedorainfracloud.org
 el7-test.fedorainfracloud.org
 f26-test.fedorainfracloud.org
 f27-test.fedorainfracloud.org
+f28-test.fedorainfracloud.org
 faitout.fedorainfracloud.org
 fas2-dev.fedorainfracloud.org
 fas3-dev.fedorainfracloud.org
--- a/inventory/group_vars/bodhi2
+++ b/inventory/group_vars/bodhi2
@ -60,6 +60,7 @@ fedmsg_certs:
  - bodhi.update.request.revoke
  - bodhi.update.request.stable
  - bodhi.update.request.testing
+  - bodhi.update.request.batched
  - bodhi.update.request.unpush

  # Things that only the mash does - not the web UI
--- a/inventory/group_vars/fedimg
+++ b/inventory/group_vars/fedimg
@ -3,6 +3,8 @@ lvm_size: 20000
 mem_size: 6144
 num_cpus: 2

+testing: False
+
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

--- a/inventory/group_vars/osbs-masters-stg
+++ b/inventory/group_vars/osbs-masters-stg
@ -40,11 +40,11 @@ osbs_conf_service_accounts:
  - koji

 osbs_conf_readwrite_users:
-  - system:serviceaccount:{{ osbs_namespace }}:default
-  - system:serviceaccount:{{ osbs_namespace }}:builder
+  - "system:serviceaccount:{{ osbs_namespace }}:default"
+  - "system:serviceaccount:{{ osbs_namespace }}:builder"


-osbs_worker_clusters:
+osbs_conf_worker_clusters:
  x86_64:
  - name: x86_64-stg
    max_concurrent_builds: 2
--- a/inventory/group_vars/pdc-backend
+++ b/inventory/group_vars/pdc-backend
@ -23,18 +23,18 @@ csi_relationship: |
 fedmsg-hub daemon that loads the pdc-updater consumer plugin.  However, the
 pdc-updater plugin is configured to do different things in each place.

- On pdc-updater01, the compose handler is enabled which listens for new pungi
+ On pdc-backend01, the compose handler is enabled which listens for new pungi
 composes, and stores them in PDC.  Fedora QE uses this data.  The consumer
 has only a single thread enabled to avoid OOMing itself with more than one
 compose at a time.

- On pdc-updater02, the modularity handlers are enabled which listen for MBS
- activity, and store that in PDC.  pdc-updater02 also hosts the retirement
+ On pdc-backend02, the modularity handlers are enabled which listen for MBS
+ activity, and store that in PDC.  pdc-backend02 also hosts the retirement
 handler which listens to dist-git for new dead.package files, and propagates
 the retirement to PDC (by prematurely EOLing the branch).  Multiple threads are
 enabled so that it can work more efficiently on these smaller tasks.

- On pdc-updater03, the dep chain handlers are enabled which listen for koji
+ On pdc-backend03, the dep chain handlers are enabled which listen for koji
 messages and store dep chain information in PDC, like what rpms depend on what
 other rpms at build time, and what containers depend on what rpms, etc..
 Multiple threads are enabled so that it can work more efficiently on these
--- a/inventory/group_vars/pdc-backend-stg
+++ b/inventory/group_vars/pdc-backend-stg
@ -23,11 +23,11 @@ csi_relationship: |
 a fedmsg-hub daemon that loads the pdc-updater consumer plugin.  However, the
 pdc-updater plugin is configured to do different things in each place.

- On pdc-updater01, the compose handler is enabled which listens for new pungi
+ On pdc-backend01, the compose handler is enabled which listens for new pungi
 composes, and stores them in PDC.  Fedora QE uses this data.  The consumer
 has only a single thread enabled to avoid OOMing itself with more than one
 compose at a time.

- On pdc-updater02, the dep chain and modularity handlers are enabled which
+ On pdc-backend02, the dep chain and modularity handlers are enabled which
 listen for koji and MBS activity, and store that in PDC.  Multiple threads
 are enabled so that it can work more efficiently on these smaller tasks.
--- a/inventory/group_vars/resultsdb-prod
+++ b/inventory/group_vars/resultsdb-prod
@ -76,3 +76,4 @@ fedmsg_certs:
  group: apache
  can_send:
  - taskotron.result.new
+  - resultsdb.result.new
--- a/inventory/group_vars/resultsdb-stg
+++ b/inventory/group_vars/resultsdb-stg
@ -73,3 +73,4 @@ fedmsg_certs:
  group: apache
  can_send:
  - taskotron.result.new
+  - resultsdb.result.new
--- a/inventory/host_vars/branched-composer.phx2.fedoraproject.org
+++ b/inventory/host_vars/branched-composer.phx2.fedoraproject.org
@ -23,6 +23,7 @@ fedmsg_certs:
  - pungi.compose.createiso.targets
  - pungi.compose.createiso.imagefail
  - pungi.compose.createiso.imagedone
+  - pungi.compose.ostree
  - compose.branched.complete
  - compose.branched.mash.complete
  - compose.branched.mash.start
--- a/inventory/host_vars/f28-test.fedorainfracloud.org
+++ b/inventory/host_vars/f28-test.fedorainfracloud.org
@ -0,0 +1,17 @@
+---
+image: Fedora-Cloud-Base-28_Beta-1.3.x86_64
+instance_type: ms1.medium
+keypair: fedora-admin-20130801
+security_group: ssh-anywhere-maintainertest,web-80-anywhere-maintainertest,default,web-443-anywhere-maintainertest,all-icmp-maintainertest
+zone: nova
+tcp_ports: [22]
+
+inventory_tenant: maintainertest
+inventory_instance_name: f28-test
+hostbase: f28-test
+public_ip: 209.132.184.118
+description: f28-test instance
+
+cloud_networks:
+  # maintainertest-net
+  - net-id: "a512d096-3fa2-49cc-b989-d43ca687f91d"
--- a/inventory/host_vars/modernpaste01.phx2.fedoraproject.org
+++ b/inventory/host_vars/modernpaste01.phx2.fedoraproject.org
@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/

 volgroup: /dev/vg_virthost03
 eth0_ip: 10.5.126.230
--- a/inventory/host_vars/modernpaste02.phx2.fedoraproject.org
+++ b/inventory/host_vars/modernpaste02.phx2.fedoraproject.org
@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/

 volgroup: /dev/vg_virthost01
 eth0_ip: 10.5.126.238
--- a/inventory/host_vars/osbs-master01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/osbs-master01.stg.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.128.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.128.161
 vmhost: virthost20.phx2.fedoraproject.org
--- a/inventory/host_vars/pkgs02.phx2.fedoraproject.org
+++ b/inventory/host_vars/pkgs02.phx2.fedoraproject.org
@ -6,8 +6,8 @@ gw: 10.5.125.254
 dns: 10.5.126.21
 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
 ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
-volgroup: /dev/xenGuests
-vmhost: bvirthost11.phx2.fedoraproject.org
+volgroup: /dev/vg_guests
+vmhost: bvirthost04.phx2.fedoraproject.org
 datacenter: phx2

 mem_size: 16384
--- a/inventory/inventory
+++ b/inventory/inventory
@ -1120,7 +1120,7 @@ newcloud-control
 newcloud-compute

 [newcloud-control]
-control01.cloud.fedoraproject.org
+#control01.cloud.fedoraproject.org

 [newcloud-compute]

@ -1216,6 +1216,7 @@ testdays.fedorainfracloud.org
 [maintainer-test]
 f26-test.fedorainfracloud.org
 f27-test.fedorainfracloud.org
+f28-test.fedorainfracloud.org
 rawhide-test.fedorainfracloud.org
 ppc64-test.fedorainfracloud.org
 ppc64le-test.fedorainfracloud.org
--- a/playbooks/groups/ask.yml
+++ b/playbooks/groups/ask.yml
@ -45,7 +45,7 @@

  roles:
  - role: gluster/server
-    name: gluster
+    glusterservername: gluster
    username: "{{ ask_gluster_username }}"
    password: "{{ ask_gluster_password }}"
    owner: root
@ -53,7 +53,7 @@
    datadir: /srv/glusterfs/ask-stg

  - role: gluster/client
-    name: gluster
+    glusterservername: gluster
    servers:
    - ask01.stg.phx2.fedoraproject.org
    username: "{{ ask_gluster_username }}"
@ -74,7 +74,7 @@

  roles:
  - role: gluster/server
-    name: gluster
+    glusterservername: gluster
    username: "{{ ask_gluster_username }}"
    password: "{{ ask_gluster_password }}"
    owner: root
@ -82,7 +82,7 @@
    datadir: /srv/glusterfs/ask

  - role: gluster/client
-    name: gluster
+    glusterservername: gluster
    servers:
    - ask01.phx2.fedoraproject.org
    - ask02.phx2.fedoraproject.org
--- a/playbooks/groups/batcave.yml
+++ b/playbooks/groups/batcave.yml
@ -26,7 +26,9 @@
  - rsyncd
  - apache
  - httpd/mod_ssl
-  - { role: httpd/certificate, name: "{{wildcard_cert_name}}", SSLCertificateChainFile: "{{wildcard_int_file}}" }
+  - role: httpd/certificate
+    certname: "{{wildcard_cert_name}}"
+    SSLCertificateChainFile: "{{wildcard_int_file}}"
  - openvpn/client
  - batcave

--- a/playbooks/groups/docker-registry.yml
+++ b/playbooks/groups/docker-registry.yml
@ -67,7 +67,7 @@

  roles:
  - role: gluster/server
-    name: gluster
+    glusterservername: gluster
    username: "{{ registry_gluster_username_prod }}"
    password: "{{ registry_gluster_password_prod }}"
    owner: root
@ -75,7 +75,7 @@
    datadir: /srv/glusterfs/registry

  - role: gluster/client
-    name: gluster
+    glusterservername: gluster
    servers:
    - docker-registry02.phx2.fedoraproject.org
    - docker-registry03.phx2.fedoraproject.org
--- a/playbooks/groups/nuancier.yml
+++ b/playbooks/groups/nuancier.yml
@ -63,7 +63,7 @@

  roles:
  - role: gluster/server
-    name: gluster
+    glusterservername: gluster
    username: "{{ nuancier_gluster_username }}"
    password: "{{ nuancier_gluster_password }}"
    owner: root
@ -71,7 +71,7 @@
    datadir: /srv/glusterfs/nuancier-stg

  - role: gluster/client
-    name: gluster
+    glusterservername: gluster
    servers:
    - nuancier01.stg.phx2.fedoraproject.org
    - nuancier02.stg.phx2.fedoraproject.org
@ -93,7 +93,7 @@

  roles:
  - role: gluster/server
-    name: gluster
+    glusterservername: gluster
    username: "{{ nuancier_gluster_username }}"
    password: "{{ nuancier_gluster_password }}"
    owner: root
@ -101,7 +101,7 @@
    datadir: /srv/glusterfs/nuancier

  - role: gluster/client
-    name: gluster
+    glusterservername: gluster
    servers:
    - nuancier01.phx2.fedoraproject.org
    - nuancier02.phx2.fedoraproject.org
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@ -23,9 +23,9 @@
    - nagios_client
    - hosts
    - fas_client
+    - sudo
    - collectd/base
    - rsyncd
-    - sudo

  tasks:
    - import_tasks: "{{ tasks_path }}/2fa_client.yml"
@ -305,7 +305,8 @@
        state: restarted

  tasks:
-
+    - name: Ensures /etc/dnsmasq.d/ dir exists
+      file: path="/etc/dnsmasq.d/" state=directory
    - name: install fedora dnsmasq specific config
      copy:
        src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}"
@ -324,12 +325,6 @@
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
-    - name: set policy for koji builder in openshift for osbs
-      shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added"
-      args:
-        creates: "/etc/origin/koji-builder-policy-added"
-      when: env == "staging"
-
    - name: set policy for koji builder in openshift for osbs
      shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added"
      args:
@ -340,6 +335,7 @@
      shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added"
      args:
        creates: "/etc/origin/atomic-reactor-policy-added"
+      when: env == "production"

 - name: Deploy OSBS on top of OpenShift
  hosts: osbs-masters-stg[0]:osbs-masters[0]
@ -399,6 +395,16 @@
  tags:
    - osbs-worker-namespace
  user: root
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - "/srv/private/ansible/vars.yml"
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  vars:
+    osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+    osbs_environment:
+      KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+
  roles:
    - role: osbs-namespace
      osbs_namespace: "{{ osbs_worker_namespace }}"
@ -407,7 +413,6 @@
      osbs_authoritative_registry: "{{ source_registry }}"
      osbs_sources_command: "{{ osbs_conf_sources_command }}"
      osbs_vendor: "{{ osbs_conf_vendor }}"
-      osbs_readwrite_users: "{{ osbs_conf_readwrite_users }}"
      when: env == "staging"

 - name: setup koji secret in worker namespace
--- a/playbooks/groups/people.yml
+++ b/playbooks/groups/people.yml
@ -75,7 +75,7 @@
  - role: apache

  - role: httpd/certificate
-    name: wildcard-2017.fedorapeople.org
+    certname: wildcard-2017.fedorapeople.org
    SSLCertificateChainFile: wildcard-2017.fedorapeople.org.intermediate.cert

  - people
--- a/playbooks/groups/secondary.yml
+++ b/playbooks/groups/secondary.yml
@ -37,12 +37,13 @@
  - role: httpd/mod_ssl

  - role: httpd/certificate
-    name: "{{wildcard_cert_name}}"
+    certname: "{{wildcard_cert_name}}"
    SSLCertificateChainFile: "{{wildcard_int_file}}"

  - role: httpd/website
-    name: secondary.fedoraproject.org
-    cert_name: "{{wildcard_cert_name}}"
+    vars:
+    - name: secondary.fedoraproject.org
+    - cert_name: "{{wildcard_cert_name}}"
    server_aliases:
    - archive.fedoraproject.org
    - archives.fedoraproject.org
--- a/playbooks/groups/torrent.yml
+++ b/playbooks/groups/torrent.yml
@ -26,13 +26,10 @@
  - role: httpd/mod_ssl

  - role: httpd/certificate
-    name: "{{wildcard_cert_name}}"
+    certname: "{{wildcard_cert_name}}"
    SSLCertificateChainFile: "{{wildcard_int_file}}"

-  - role: httpd/website
-    name: torrent.fedoraproject.org
-    cert_name: "{{wildcard_cert_name}}"
-    sslonly: true
+  - {role: httpd/website, vars: {name: torrent.fedoraproject.org, cert_name: "{{wildcard_cert_name}}", sslonly: true}}

  tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@ -16,72 +16,72 @@
  - role: httpd/mod_ssl

  - role: httpd/certificate
-    name: wildcard-2017.fedoraproject.org
+    certname: wildcard-2017.fedoraproject.org
    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert

  - role: httpd/certificate
-    name: wildcard-2017.fedorahosted.org
+    certname: wildcard-2017.fedorahosted.org
    SSLCertificateChainFile: wildcard-2017.fedorahosted.org.intermediate.cert

  - role: httpd/certificate
-    name: wildcard-2017.id.fedoraproject.org
+    certname: wildcard-2017.id.fedoraproject.org
    SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert

  - role: httpd/certificate
-    name: wildcard-2017.stg.fedoraproject.org
+    certname: wildcard-2017.stg.fedoraproject.org
    SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/certificate
-    name: wildcard-2017.app.os.stg.fedoraproject.org
+    certname: wildcard-2017.app.os.stg.fedoraproject.org
    SSLCertificateChainFile: wildcard-2017.app.os.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"
    tags:
    - app.os.fedoraproject.org

  - role: httpd/certificate
-    name: wildcard-2017.app.os.fedoraproject.org
+    certname: wildcard-2017.app.os.fedoraproject.org
    SSLCertificateChainFile: wildcard-2017.app.os.fedoraproject.org.intermediate.cert
    tags:
    - app.os.fedoraproject.org

  - role: httpd/certificate
-    name: fedoramagazine.org
+    certname: fedoramagazine.org
    SSLCertificateChainFile: fedoramagazine.org.intermediate.cert

  - role: httpd/certificate
-    name: fpaste.org
+    certname: fpaste.org
    SSLCertificateChainFile: fpaste.org.intermediate.cert

  - role: httpd/certificate
-    name: getfedora.org
+    certname: getfedora.org
    SSLCertificateChainFile: getfedora.org.intermediate.cert

  - role: httpd/certificate
-    name: flocktofedora.org
+    certname: flocktofedora.org
    SSLCertificateChainFile: flocktofedora.org.intermediate.cert

  - role: httpd/certificate
-    name: qa.stg.fedoraproject.org
+    certname: qa.stg.fedoraproject.org
    SSLCertificateChainFile: qa.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/certificate
-    name: qa.fedoraproject.org
+    certname: qa.fedoraproject.org
    SSLCertificateChainFile: qa.fedoraproject.org.intermediate.cert

  - role: httpd/certificate
-    name: secondary.koji.fedoraproject.org.letsencrypt
+    certname: secondary.koji.fedoraproject.org.letsencrypt
    SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt

  - role: httpd/certificate
-    name: whatcanidoforfedora.org
+    certname: whatcanidoforfedora.org
    SSLCertificateChainFile: whatcanidoforfedora.org.intermediate.crt
    tags:
    - whatcanidoforfedora.org

  - role: httpd/certificate
-    name: fedoracommunity.org
+    certname: fedoracommunity.org
    SSLCertificateChainFile: fedoracommunity.org.intermediate.cert
    tags:
    - fedoracommunity.org
--- a/playbooks/openshift-apps/greenwave.yml
+++ b/playbooks/openshift-apps/greenwave.yml
@ -42,11 +42,11 @@
    key: fedmsg-greenwave.crt
    privatefile: fedmsg-certs/keys/greenwave-greenwave-web-greenwave.app.os.fedoraproject.org.crt
    when: env != "staging"
-  - { role: openshift/object, app: greenwave, file: imagestream.yml }
-  - { role: openshift/object, app: greenwave, template: buildconfig.yml }
-  - { role: openshift/start-build, app: greenwave, name: greenwave-docker-build }
-  - { role: openshift/object, app: greenwave, template: configmap.yml }
-  - { role: openshift/object, app: greenwave, file: service.yml }
-  - { role: openshift/object, app: greenwave, file: route.yml }
-  - { role: openshift/object, app: greenwave, file: deploymentconfig.yml }
-  - { role: openshift/rollout, app: greenwave, name: greenwave-web }
+  - { role: openshift/object, vars: {app: greenwave, file: imagestream.yml }}
+  - { role: openshift/object, vars: {app: greenwave, template: buildconfig.yml }}
+  - { role: openshift/start-build, vars: {app: greenwave, name: greenwave-docker-build }}
+  - { role: openshift/object, vars: {app: greenwave, template: configmap.yml }}
+  - { role: openshift/object, vars: {app: greenwave, file: service.yml }}
+  - { role: openshift/object, vars: {app: greenwave, file: route.yml }}
+  - { role: openshift/object, vars: {app: greenwave, file: deploymentconfig.yml }}
+  - { role: openshift/rollout, vars: {app: greenwave, name: greenwave-web }}
--- a/playbooks/openshift-apps/librariesio2fedmsg.yml
+++ b/playbooks/openshift-apps/librariesio2fedmsg.yml
@ -24,9 +24,9 @@
    secret_name: librariesio2fedmsg-fedmsg-crt
    key: fedmsg-librariesio2fedmsg.crt
    privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.fedoraproject.org.crt
-  - { role: openshift/object, app: librariesio2fedmsg, file: imagestream.yml }
-  - { role: openshift/object, app: librariesio2fedmsg, file: buildconfig.yml }
-  - { role: openshift/start-build, app: librariesio2fedmsg, name: sse2fedmsg-docker-build }
-  - { role: openshift/object, app: librariesio2fedmsg, template: configmap.yml }
-  - { role: openshift/object, app: librariesio2fedmsg, file: deploymentconfig.yml }
-  - { role: openshift/rollout, app: librariesio2fedmsg, name: librariesio2fedmsg }
+  - { role: openshift/object, vars: {app: librariesio2fedmsg, file: imagestream.yml }}
+  - { role: openshift/object, vars: {app: librariesio2fedmsg, file: buildconfig.yml }}
+  - { role: openshift/start-build, vars: {app: librariesio2fedmsg, name: sse2fedmsg-docker-build }}
+  - { role: openshift/object, vars: {app: librariesio2fedmsg, template: configmap.yml }}
+  - { role: openshift/object, vars: {app: librariesio2fedmsg, file: deploymentconfig.yml }}
+  - { role: openshift/rollout, vars: {app: librariesio2fedmsg, name: librariesio2fedmsg }}
--- a/playbooks/openshift-apps/modernpaste.yml
+++ b/playbooks/openshift-apps/modernpaste.yml
@ -14,12 +14,12 @@
    description: modernpaste
    appowners:
    - codeblock
-  - { role: openshift/object, app: modernpaste, file: imagestream.yml }
-  - { role: openshift/object, app: modernpaste, template: secret.yml }
-  - { role: openshift/object, app: modernpaste, file: buildconfig.yml }
-  - { role: openshift/start-build, app: modernpaste, name: modernpaste-docker-build }
-  - { role: openshift/object, app: modernpaste, template: configmap.yml }
-  - { role: openshift/object, app: modernpaste, file: service.yml }
-  - { role: openshift/object, app: modernpaste, file: route.yml }
-  - { role: openshift/object, app: modernpaste, file: deploymentconfig.yml }
-  - { role: openshift/rollout, app: modernpaste, name: modernpaste-web }
+  - { role: openshift/object, vars: {app: modernpaste, file: imagestream.yml }}
+  - { role: openshift/object, vars: {app: modernpaste, template: secret.yml }}
+  - { role: openshift/object, vars: {app: modernpaste, file: buildconfig.yml }}
+  - { role: openshift/start-build, vars: {app: modernpaste, name: modernpaste-docker-build }}
+  - { role: openshift/object, vars: {app: modernpaste, template: configmap.yml }}
+  - { role: openshift/object, vars: {app: modernpaste, file: service.yml }}
+  - { role: openshift/object, vars: {app: modernpaste, file: route.yml }}
+  - { role: openshift/object, vars: {app: modernpaste, file: deploymentconfig.yml }}
+  - { role: openshift/rollout, vars: {app: modernpaste, name: modernpaste-web }}
--- a/playbooks/openshift-apps/release-monitoring.yml
+++ b/playbooks/openshift-apps/release-monitoring.yml
@ -14,11 +14,11 @@
    description: release-monitoring
    appowners:
    - jcline
-  - { role: openshift/object, app: release-monitoring, file: imagestream.yml }
-  - { role: openshift/object, app: release-monitoring, file: buildconfig.yml }
-  - { role: openshift/start-build, app: release-monitoring, name: release-monitoring-web-build }
-  - { role: openshift/object, app: release-monitoring, template: configmap.yml }
-  - { role: openshift/object, app: release-monitoring, file: service.yml }
-  - { role: openshift/object, app: release-monitoring, file: route.yml }
-  - { role: openshift/object, app: release-monitoring, file: deploymentconfig.yml }
-  - { role: openshift/rollout, app: release-monitoring, name: release-monitoring-web }
+  - { role: openshift/object, vars: {app: release-monitoring, file: imagestream.yml }}
+  - { role: openshift/object, vars: {app: release-monitoring, file: buildconfig.yml }}
+  - { role: openshift/start-build, vars: {app: release-monitoring, name: release-monitoring-web-build }}
+  - { role: openshift/object, vars: {app: release-monitoring, template: configmap.yml }}
+  - { role: openshift/object, vars: {app: release-monitoring, file: service.yml }}
+  - { role: openshift/object, vars: {app: release-monitoring, file: route.yml }}
+  - { role: openshift/object, vars: {app: release-monitoring, file: deploymentconfig.yml }}
+  - { role: openshift/rollout, vars: {app: release-monitoring, name: release-monitoring-web }}
--- a/playbooks/openshift-apps/transtats.yml
+++ b/playbooks/openshift-apps/transtats.yml
@ -14,11 +14,11 @@
    description: transtats
    appowners:
    - suanand
-  - { role: openshift/object, app: transtats, template: secret.yml }
-  - { role: openshift/object, app: transtats, file: imagestream.yml }
-  - { role: openshift/object, app: transtats, file: buildconfig.yml }
-  - { role: openshift/start-build, app: transtats, name: transtats-build }
-  - { role: openshift/object, app: transtats, file: service.yml }
-  - { role: openshift/object, app: transtats, file: route.yml }
-  - { role: openshift/object, app: transtats, file: deploymentconfig.yml }
-  - { role: openshift/rollout, app: transtats, name: transtats-web }
+  - { role: openshift/object, vars: {app: transtats, template: secret.yml }}
+  - { role: openshift/object, vars: {app: transtats, file: imagestream.yml }}
+  - { role: openshift/object, vars: {app: transtats, file: buildconfig.yml }}
+  - { role: openshift/start-build, vars: {app: transtats, name: transtats-build }}
+  - { role: openshift/object, vars: {app: transtats, file: service.yml }}
+  - { role: openshift/object, vars: {app: transtats, file: route.yml }}
+  - { role: openshift/object, vars: {app: transtats, file: deploymentconfig.yml }}
+  - { role: openshift/rollout, vars: {app: transtats, name: transtats-web }}
--- a/playbooks/openshift-apps/waiverdb.yml
+++ b/playbooks/openshift-apps/waiverdb.yml
@ -49,11 +49,11 @@
    key: fedmsg-waiverdb.crt
    privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.crt
    when: env != "staging"
-  - { role: openshift/object, app: waiverdb, file: imagestream.yml }
-  - { role: openshift/object, app: waiverdb, file: buildconfig.yml }
-  - { role: openshift/start-build, app: waiverdb, name: waiverdb-docker-build }
-  - { role: openshift/object, app: waiverdb, template: configmap.yml }
-  - { role: openshift/object, app: waiverdb, file: service.yml }
-  - { role: openshift/object, app: waiverdb, file: route.yml }
-  - { role: openshift/object, app: waiverdb, template: deploymentconfig.yml }
-  - { role: openshift/rollout, app: waiverdb, name: waiverdb-web }
+  - { role: openshift/object, vars: {app: waiverdb, file: imagestream.yml }}
+  - { role: openshift/object, vars: {app: waiverdb, file: buildconfig.yml }}
+  - { role: openshift/start-build, vars: {app: waiverdb, name: waiverdb-docker-build }}
+  - { role: openshift/object, vars: {app: waiverdb, template: configmap.yml }}
+  - { role: openshift/object, vars: {app: waiverdb, file: service.yml }}
+  - { role: openshift/object, vars: {app: waiverdb, file: route.yml }}
+  - { role: openshift/object, vars: {app: waiverdb, template: deploymentconfig.yml }}
+  - { role: openshift/rollout, vars: {app: waiverdb, name: waiverdb-web }}
--- a/roles/distgit/pagure/tasks/main.yml
+++ b/roles/distgit/pagure/tasks/main.yml
@ -267,6 +267,7 @@
  - pagure

 - name: Configure cron job for a hourly pagure_poc
+  when: env != 'staging'
  cron:
    name: pagure-poc
    user: root
@ -278,6 +279,7 @@
  - pagure

 - name: Configure cron job for a hourly pagure_bz
+  when: env != 'staging'
  cron:
    name: pagure-poc
    user: root
@ -289,6 +291,7 @@
  - pagure

 - name: Configure cron job for a hourly pagure_owner_alias
+  when: env != 'staging'
  cron:
    name: pagure-poc
    user: root
--- a/roles/fedimg/tasks/main.yml
+++ b/roles/fedimg/tasks/main.yml
@ -17,7 +17,6 @@
  package: name={{ item }} state=present
  with_items:
  - euca2ools
-  when: env == "staging"
  tags:
  - fedimg

@ -44,7 +43,6 @@
      owner=fedmsg group=fedmsg mode=0700
  notify:
  - restart fedmsg-hub
-  when: env == "staging"
  tags:
  - fedimg

--- a/roles/fedimg/templates/fedmsg.d/fedimg.py
+++ b/roles/fedimg/templates/fedmsg.d/fedimg.py
@ -29,6 +29,8 @@ config = {
 }
 {% else %}
 config = {
-    'fedimgconsumer': True,
+    'fedimgconsumer.dev.enabled': False,
+    'fedimgconsumer.prod.enabled': True,
+    'fedimgconsumer.stg.enabled': False,
 }
 {% endif %}
--- a/roles/gluster/client/tasks/main.yml
+++ b/roles/gluster/client/tasks/main.yml
@ -19,14 +19,14 @@
 - name: copy over the client config
  template:
    src: client.config
-    dest: /etc/glusterfs/glusterfs.{{name}}.vol
+    dest: /etc/glusterfs/glusterfs.{{glusterservername}}.vol
    mode: 0640
  #notify:
  #- remount?  no idea...

 - name: mount it up
  mount:
-    src: /etc/glusterfs/glusterfs.{{name}}.vol
+    src: /etc/glusterfs/glusterfs.{{glusterservername}}.vol
    state: mounted
    fstype: glusterfs
    name: "{{mountdir}}"
--- a/roles/gluster/client/templates/client.config
+++ b/roles/gluster/client/templates/client.config
@ -1,4 +1,4 @@
-# Config for {{ name }}
+# Config for {{ glusterservername }}
 # Generated by ansible

 {% for server in servers %}
--- a/roles/gluster/server/tasks/main.yml
+++ b/roles/gluster/server/tasks/main.yml
@ -13,7 +13,7 @@
  - restart glusterd

 - name: make the datapath
-  file: dest={{ datadir }}/{{ name }} state=directory
+  file: dest={{ datadir }}/{{ glusterservername }} state=directory
  notify:
  - restart glusterd

--- a/roles/gluster/server/templates/server.config
+++ b/roles/gluster/server/templates/server.config
@ -1,9 +1,9 @@
-# Config for {{ name }}
+# Config for {{ glusterservername }}
 # Generated by ansible

 volume posix
 	type storage/posix
-    option directory {{ datadir }}/{{ name }}
+    option directory {{ datadir }}/{{ glusterservername }}
 end-volume

 volume locks
@ -22,8 +22,8 @@ volume server-tcp
 	type protocol/server
 	subvolumes iothreads
 	option transport-type tcp
-    option auth.login.iothreads.allow {{ username }}
-    option auth.login.{{ username }}.password {{ password }}
+        option auth.login.iothreads.allow {{ username }}
+        option auth.login.{{ username }}.password {{ password }}
 	option transport.socket.listen-port 6996
 	option transport.socket.nodelay on
 end-volume
--- a/roles/httpd/certificate/tasks/main.yml
+++ b/roles/httpd/certificate/tasks/main.yml
@ -18,7 +18,7 @@
  - httpd
  - httpd/certificate

- name: Copy {{name}}.cert
+- name: Copy {{certname}}.cert
  copy: >
    src={{item}}
    dest=/etc/pki/tls/certs/{{item | basename}}
@ -27,14 +27,14 @@
    mode=0644
  with_first_found:
  - "{{private}}/files/httpd/{{cert}}.cert"
-  - "{{private}}/files/httpd/{{name}}.cert"
+  - "{{private}}/files/httpd/{{certname}}.cert"
  notify:
  - reload proxyhttpd
  tags:
  - httpd
  - httpd/certificate

- name: Copy {{name}}.key
+- name: Copy {{certname}}.key
  copy: >
    src={{item}}
    dest=/etc/pki/tls/private/{{item | basename}}
@ -43,7 +43,7 @@
    mode=0600
  with_first_found:
  - "{{private}}/files/httpd/{{key}}.key"
-  - "{{private}}/files/httpd/{{name}}.key"
+  - "{{private}}/files/httpd/{{certname}}.key"
  notify:
  - reload proxyhttpd
  tags:
--- a/roles/modernpaste/tasks/main.yml
+++ b/roles/modernpaste/tasks/main.yml
@ -80,8 +80,11 @@
  tags:
  - modernpaste

- name: set sebooleans so paste can talk to the db
-  seboolean: name=httpd_can_network_connect_db state=true persistent=true
+- name: set sebooleans so paste can talk to the db and sn2mp can talk to paste
+  seboolean: name={{item}} state=true persistent=true
+  with_items:
+  - httpd_can_network_connect_db
+  - httpd_can_network_connect
  tags:
  - config
  - selinux
--- a/roles/modernpaste/templates/client_secrets.json
+++ b/roles/modernpaste/templates/client_secrets.json
@ -6,7 +6,8 @@
  "client_id": "modernpaste",
  "client_secret": "{{stg_modernpaste_oidc_secret}}",
  "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo",
-  "token_introspection_uri": "https://id.stg.fedoraproject.org/openidc/TokenInfo"
+  "token_introspection_uri": "https://id.stg.fedoraproject.org/openidc/TokenInfo",
+  "issuer": ["https://id.stg.fedoraproject.org/openidc/"]
  }
 }
 {% else %}
@ -17,7 +18,8 @@
  "client_id": "modernpaste",
  "client_secret": "{{prod_modernpaste_oidc_secret}}",
  "userinfo_uri": "https://id.fedoraproject.org/openidc/UserInfo",
-  "token_introspection_uri": "https://id.fedoraproject.org/openidc/TokenInfo"
+  "token_introspection_uri": "https://id.fedoraproject.org/openidc/TokenInfo",
+  "issuer": ["https://id.stg.fedoraproject.org/openidc/"]
  }
 }
 {% endif %}
--- a/roles/modernpaste/templates/config.py
+++ b/roles/modernpaste/templates/config.py
@ -52,7 +52,11 @@ REQUIRE_LOGIN_TO_PASTE = False

 # Authentication method
 # This selects between either local users or oidc (OpenID Connect)
+{% if env == 'staging' %}
 AUTH_METHOD = 'oidc'
+{% else %}
+AUTH_METHOD = 'local'
+{% endif %}

 # OpenID Connect client secrets file
 AUTH_OIDC_CLIENT_SECRETS = '/etc/modern-paste/client_secrets.json'
--- a/roles/nagios_server/templates/nagios/services/websites.cfg.j2
+++ b/roles/nagios_server/templates/nagios/services/websites.cfg.j2
@ -114,6 +114,13 @@ define service {
  use                   websitetemplate
 }

+define service {
+  hostgroup_name        proxies
+  service_description   http-modernpaste
+  check_command         check_website_ssl!paste.fedoraproject.org!/archive!NEXT
+  max_check_attempts    8
+  use                   websitetemplate
+}

 ##
 ## Individual hosts
--- a/roles/openshift-apps/release-monitoring/files/buildconfig.yml
+++ b/roles/openshift-apps/release-monitoring/files/buildconfig.yml
@ -15,7 +15,7 @@ items:
          name="release-monitoring-web" \
          vendor="Fedora Infrastructure" \
          license="MIT"
-        RUN dnf install -y \
+        RUN dnf install -y --enable-repo=updates-testing \
                git \
                python3-blinker \
                python3-dateutil \
@ -30,18 +30,17 @@ items:
                python3-pip \
                python3-psycopg2 \
                python3-setuptools \
+                python3-social-auth-app-flask-sqlalchemy \
                python3-straight-plugin \
                python3-sqlalchemy \
                python3-wtforms && \
            dnf autoremove -y && \
            dnf clean all -y
-        RUN pip-3 install social-auth-app-flask social-auth-app-flask-sqlalchemy
        RUN pip-3 install git+https://github.com/release-monitoring/anitya.git
        ENV USER=anitya
        EXPOSE 8080
        EXPOSE 9940
-        ENTRYPOINT python3 -c "from anitya.config import config; from anitya.lib import utilities; utilities.init('sqlite:////var/tmp/anitya-dev.sqlite', None, debug=True, create=True)" \
-            && python3-gunicorn --bind 0.0.0.0:8080 --access-logfile=- anitya.wsgi:application
+        ENTRYPOINT python3-gunicorn --bind 0.0.0.0:8080 --access-logfile=- anitya.wsgi:application
      type: Dockerfile
    strategy:
      type: Docker
--- a/roles/openshift-apps/release-monitoring/files/deploymentconfig.yml
+++ b/roles/openshift-apps/release-monitoring/files/deploymentconfig.yml
@ -22,6 +22,13 @@ items:
        maxUnavailable: 25%
        timeoutSeconds: 600
        updatePeriodSeconds: 1
+        pre:
+          failurePolicy: Abort
+          execNewPod:
+            containerName: release-monitoring-web
+            command: [ /bin/sh, -i, -c, "alembic -c /etc/anitya/alembic.ini upgrade head" ]
+            volumes:
+            - config-volume
      type: Rolling
    template:
      metadata:
--- a/roles/openshift-apps/release-monitoring/templates/configmap.yml
+++ b/roles/openshift-apps/release-monitoring/templates/configmap.yml
@ -20,7 +20,7 @@ data:
    permanent_session_lifetime = 3600

 {% if env == 'staging' %}
-    db_url = "sqlite:////var/tmp/anitya-dev.sqlite"
+    db_url = "postgresql://{{ anitya_stg_db_user }}:{{ anitya_stg_db_pass }}@{{ anitya_stg_db_host }}/{{ anitya_stg_db_name }}"
 {% else %}
    db_url = "postgresql://{{ anitya_db_user }}:{{ anitya_db_pass }}@{{ anitya_db_host }}/{{ anitya_db_name }}"
 {% endif %}
@ -70,3 +70,38 @@ data:
        [anitya_log_config.root]
            level = "ERROR"
            handlers = ["console"]
+  alembic.ini: |-
+    [alembic]
+    script_location = anitya:db/migrations
+    sourceless = false
+{% if env == 'staging' %}
+    sqlalchemy.url = "postgresql://{{ anitya_stg_db_user }}:{{ anitya_stg_db_pass }}@{{ anitya_stg_db_host }}/{{ anitya_stg_db_name }}"
+{% else %}
+    sqlalchemy.url = "postgresql://{{ anitya_db_user }}:{{ anitya_db_pass }}@{{ anitya_db_host }}/{{ anitya_db_name }}"
+{% endif %}
+    [loggers]
+    keys = root,sqlalchemy,alembic
+    [handlers]
+    keys = console
+    [formatters]
+    keys = generic
+    [logger_root]
+    level = WARN
+    handlers = console
+    qualname =
+    [logger_sqlalchemy]
+    level = WARN
+    handlers =
+    qualname = sqlalchemy.engine
+    [logger_alembic]
+    level = INFO
+    handlers =
+    qualname = alembic
+    [handler_console]
+    class = StreamHandler
+    args = (sys.stderr,)
+    level = NOTSET
+    formatter = generic
+    [formatter_generic]
+    format = %(levelname)-5.5s [%(name)s] %(message)s
+    datefmt = %H:%M:%S
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@ -643,3 +643,7 @@ SCRIPTWHITELIST=/usr/bin/groups
 SCRIPTWHITELIST=/usr/bin/GET
 SCRIPTWHITELIST=/sbin/ifup
 SCRIPTWHITELIST=/sbin/ifdown
+{% if inventory_hostname.startswith(('db','pagure','retrace','anitya','upstream')) %}
+# Set this size very large on postgres running servers.
+IPC_SEG_SIZE=100000000000
+{% endif %}
--- a/tasks/persistent_cloud.yml
+++ b/tasks/persistent_cloud.yml
@ -17,7 +17,7 @@
      login_tenant_name: "{{inventory_tenant}}"
      name: "{{inventory_instance_name}}"
      image_id: "{{ image|image_name_to_id('admin', ADMIN_PASS, inventory_tenant, os_auth_url) }}"
-      wait_for: 300
+      wait_for: 600
      flavor_id: "{{ instance_type|flavor_name_to_id('admin', ADMIN_PASS, inventory_tenant, os_auth_url) }}"
      security_groups: "{{security_group}}"
      key_name: "{{ keypair }}"